Privilege elevation for graphical applications

This article provides methods for using graphical applications to perform privileged tasks such as mounting filesystems, partitioning drives, and editing system files. Running the entire graphical application as root should be avoided because:

It could inadvertently modify file permissions in your home directory.
Most of the graphical code has not been audited to run with higher permissions.

Perform privileged actions in GUI applications

Privilege elevation with polkit

polkit allows unprivileged GUI applications to perform certain prearranged actions that require special permissions. If the application comes with polkit support, and there is a functioning polkit agent, then you should automatically be prompted for credentials when necessary.

To find applications on your system that support polkit, you can start by seeing what packages require it in pacman -Qi polkit. Additionally, each supporting application installs one or more policy into /usr/share/polkit-1/actions/. Some polkit programs are user-facing applications such as gparted, whereas others are shared utilities used by other applications. As an example, many file managers use udisks or gvfs to mount filesystems upon request.

File editing

These are application-agnostic methods for editing files not normally accessible and/or writable.

sudoedit

For one-off edits to system files, sudoedit can be used to edit a temporary unprivileged copy in your editor.

GVFS

Access to privileged files and directories is possible through GVFS by specifying the admin backend in the URI scheme[1][2], e.g.:

$ nautilus admin:///root/

or

$ gedit admin:///etc/fstab

Tip This can also be done from the application location bar/file selector: e.g. in nautilus or gedit, type Ctrl+l and then prepend the admin:// scheme to the resource path. The same effect can be attained via the Other locations server address bar.

kio-admin

KIO Admin Worker provides an admin:// URI within supported KIO applications such as Dolphin, allowing privileged file operations.

Install kio-admin to gain support for this functionality.

Run GUI applications as root

Warning All of the following methods have security implications that users should be aware of. As described by Emmanuele Bassi, a GNOME developer:

[...] there are no *real*, substantiated, technological reasons why anybody should run a GUI application as root. By running GUI applications as an admin user you are literally running millions of lines of code that have not been audited properly to run under elevated privileges; you are also running code that will touch files inside your $HOME and may change their ownership on the file system; connect, via IPC, to even more running code, etc.

You are opening up a massive, gaping security hole [...].

Xorg

By default, and for security reasons, root will be unable to connect to a non-root user's X server. There are multiple ways of allowing root to do so however, if necessary.

Polkit

The proper, recommended way to run GUI applications under X with elevated privileges is to create a Polkit policy, as shown in this forum post.

This should however "only be used for legacy programs", as pkexec(1) reminds. Applications should rather "defer the privileged operations to an auditable, self-contained, minimal piece of code that gets executed after doing a privilege escalation, and gets dropped when not needed"[3]. This may be the object of a bug report to the upstream project.

Punctual methods

These methods wrap the application in an elevation framework and drop the acquired privileges once it exits:

kdesu(1) (from kde-cli-tools)

$ kdesu application

sudo (must be properly configured)

$ sudo application

sux^AUR (wrapper around su which will transfer your X credentials)

$ sux root application

Alternate methods

These methods will allow root to connect to a non-root user's X server, but present varying levels of security risks, especially if you run ssh. If you are behind a firewall, you may consider them to be safe enough for your requirements.

Xhost

Xhost can be used to temporarily allow root access.

Permanently allow root access

Method 1: Add the line

session         optional        pam_xauth.so

to both /etc/pam.d/su and /etc/pam.d/su-l. Then switch to your root user using su or su -.

Method 2: Globally in /etc/profile

Add the following line to /etc/profile:

/etc/profile

export XAUTHORITY=/home/username/.Xauthority

This will permanently allow root to connect to a non-root user's X server.

Or, merely specify a particular app:

# XAUTHORITY=/home/username/.Xauthority appname

where appname is the name of the particular app. (e.g. kwrite)

Wayland

Trying to run a graphical application as root via su, sudo or pkexec in a Wayland session (e.g. GParted or Gedit), will fail with an error similar to this:

# gedit

No protocol specified
Unable to init server: Could not connect: Connection refused

(gedit:2349): Gtk-WARNING **: cannot open display: :0

Wayland applications

This section pertains only to native Wayland applications which are not running under XWayland.

Using sudo -E

You can launch an application with:

$ sudo -E program

which preserves environment variables like WAYLAND_DISPLAY.

If you want the HOME environment variable to be set to the target user, use:

$ sudo -EH program

See sudo(8).

Using pkexec

You can launch GUI an application with:

$ pkexec env WAYLAND_DISPLAY="$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" XDG_RUNTIME_DIR=/run/user/0 program

which preserves the environment variable WAYLAND_DISPLAY.

XWayland

Under XWayland, Xorg workarounds do not work anymore as the default has been made to only allow the user who started the X server to connect clients to it (see the bug report and the upstream commits it refers to).

One workaround is to use xhost to temporarily allow the root user to access the local user's X session[4]. To do so, execute the following command as the current (unprivileged) user:

$ xhost si:localuser:root

To remove this access after the application has been closed:

$ xhost -si:localuser:root